Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Bruno Wolff III bruno at
Wed Nov 25 03:32:44 UTC 2009

On Tue, Nov 24, 2009 at 10:33:16 -0500,
  Todd Zullinger <tmz at> wrote:
> What I'm here for is to gather ideas for how to properly go about
> building the mingw32-sha256sum and keeping it around so that when I
> extract the sha256sum.exe and upload it to we will
> have the koji built rpm to compare the binary against.  Otherwise, the
> whole process falls back to "Trust that Todd didn't trojan the
> executable."  And while I'd be flattered if folks had that much trust
> in me, I think it would be unwise to encourage or expect. :)

I was thinking about what the gpl requirements are for publishing 
executables built with mingw are for another project that might be
set up on fedorahosted. Since mingw stuff is likely to include staticly
linked libraries, I think you need to have pointers to the sources for
the versions of all of the included libraries.

So while I haven't asked someone about this before, I was thinking that
I would probably need to determine the libraries that got linked in and
then note the versions that were used to do the build and include links
into koji for all of the involved src rpms prominently on the download

More information about the Fedora-infrastructure-list mailing list